Articles

Public-Private Cybersecurity

Kristen E. Eichensehr*

Calls for public-private partnerships to address U.S. cybersecurity failures have become ubiquitous. But the academic literature and public debate have not fully appreciated the extent to which the United States has already backed into a de facto system of “public-private cybersecurity.” This system is characterized by the surprisingly important, quasi-governmental role of the private sector on key cybersecurity issues, and correspondingly by instances in which the federal government acts more like a market participant than a traditional regulator. The public-private cybersecurity system challenges scholarly approaches to privatization, which focus on maintaining public law values when government functions are contracted out to private parties. The informal and complicated structure of public-private relationships in cybersecurity renders concerns about public law values at once more serious and more difficult to remedy.

This Article first explores the line between public and private functions and provides a descriptive account of the public-private cybersecurity system. It highlights the relative roles of the U.S. government and private sector in four important contexts related to international cybersecurity threats: (1) disrupting networks of infected computers used by transnational-criminal groups (“botnet takedowns”), (2) remediating software vulnerabilities that can be used for crime, espionage, and offensive operations (“zero-day vulnerabilities”), (3) attributing cyber intrusions to state-sponsored attackers, and (4) defending privately-owned systems and networks from sophisticated, nation-state-sponsored attackers.

The Article then uses the public-private cybersecurity system to challenge and complicate existing scholarship on privatization. Procedurally, the public-private cybersecurity system differs from traditional privatization because private actors—not the government—decide what functions they should perform, and private actors operate outside of the contractual frameworks that have traditionally restrained private contractors. Substantively, the cybersecurity context implicates public law values addressed in prior work—including accountability, transparency, and due process or fairness—but it also raises additional concerns about security and privacy.

Evaluating how the public-private cybersecurity system attains and falls short of public law values yields broader lessons for cybersecurity governance and for privatization. The public-private cybersecurity system shows that concerns about public law values are not unidirectional—sometimes threats to public values come from the government, not the private sector. On the other hand, while empowered private parties play a crucial role in cybersecurity and in many ways currently support public values, this alignment is a present fortuity, not a structural feature, and so may shift in the future, posing new threats to public law values. These complexities require new kinds of context-dependent solutions to safeguard public law values. The Article concludes by suggesting several such remedies for the public law failings it identifies.

* Assistant Professor, UCLA School of Law. For helpful conversations and comments on earlier drafts, I am grateful to Tendayi Achiume, Sam Bray, Fred Cate, Anupam Chander, Beth Colgan, Sharon Dolovich, Mark Grady, Jennifer Granick, Duncan Hollis, Herb Lin, Jon Michaels, Paul Ohm, Ted Parson, Kal Raustiala, Condoleezza Rice, Richard Re, Sidney Tarrow, Amy Zegart, and participants in the Hoover Institution Summer Security Fellows Workshop, Cornell International Law/International Relations Workshop, American Society of International Law Midyear Research Forum, and AALS National Security Law Section Works-in-Progress session. Thanks to UCLA School of Law and the Hoover Institution for research support and to Andrew Brown, Danielle Hesse, Vincent Marchetta, and Kevin Whitfield for excellent research assistance. This Article reflects developments through January 2017, when it was finalized for publication.

EICHENSEHR.TOPRINTERV2 (DO NOT DELETE) 2/7/2017 3:05 PM 468 Texas Law Review [Vol. 95:467

Contents

INTRODUCTION .... 469
I. DE FACTO PUBLIC-PRIVATE CYBERSECURITY .... 474
  A. The Public-Private Divide .... 475
  B. Manifestations of Public-Private Cybersecurity .... 478
    1. Botnet Takedowns .... 479
    2. Securing Software .... 482
    3. Publicly Attributing State-Sponsored Intrusions .... 489
    4. Defending Private Networks .... 494
  C. Incentives for Participation in Public-Private Cybersecurity .... 499
    1. Governmental Incentives .... 500
    2. Private Incentives .... 502
II. PRIVATIZATION & PUBLIC LAW VALUES .... 504
  A. The Procedural Challenges of Public-Private Cybersecurity .... 507
  B. Expanding Public Law Values for Cybersecurity .... 511
    1. Accountability .... 512
    2. Transparency .... 514
    3. Due Process & Fairness .... 516
    4. Security .... 516
    5. Privacy .... 518
III. PUBLIC LAW VALUES IN PUBLIC-PRIVATE CYBERSECURITY .... 521
  A. How “Publicized” Is the Current System? .... 522
    1. Botnet Takedowns: Publicly Beneficial Partnerships .... 522
    2. Securing Software: Persistent Insecurities & Conflicting Incentives .... 525
    3. Publicly Attributing State-Sponsored Intrusions: Increased Transparency, but Accountability Confusion .... 528
    4. Defending Private Networks: Security & Public Values Compromises .... 531
  B. Promoting Public Law Values in Public-Private Cybersecurity .... 534
CONCLUSION .... 536

Introduction

“[N]either government, nor the private sector can defend the nation alone. It’s going to have to be a shared mission—government and industry working hand in hand, as partners.”
—Barack Obama, Remarks at the National Cybersecurity Communications Integration Center, January 13, 2015 [1]

Calls to establish public-private partnerships in cybersecurity have become ubiquitous.[2] From government officials [3] to private sector representatives,[4] think tanks,[5] expert commissions,[6] and the media,[7] “partnership” has become the watchword for remedying cybersecurity failures in the United States.[8] But the academic literature and public debate have not fully appreciated the extent to which the United States has already backed into a de facto system of “public-private cybersecurity.”[9] The public-private cybersecurity system is characterized by the surprisingly important, quasi-governmental

Notes

1. President Barack Obama, Remarks by the President at the National Cybersecurity Communications Integration Center (Jan. 13, 2015), https://www.whitehouse.gov/the-press-office/2015/01/13/remarks-president-national-cybersecurity-communications-integration-cent [https://perma.cc/ENG2-GG4G].

2. BENJAMIN WITTES & GABRIELLA BLUM, THE FUTURE OF VIOLENCE: ROBOTS AND GERMS, HACKERS AND DRONES 74 (2015) (“[S]o pervasive is the understanding that the private sector has a key role to play in cybersecurity that the term ‘public-private partnership’ has become a cliché in the cybersecurity world.”).

3. See, e.g., President Barack Obama, Remarks by the President at the Cybersecurity and Consumer Protection Summit (Feb. 13, 2015), https://www.whitehouse.gov/the-press-office/2015/02/13/remarks-president-cybersecurity-and-consumer-protection-summit [https://perma.cc/5LZC-95MA] (“There’s only one way to defend America from these cyber threats, and that is through government and industry working together, sharing appropriate information as true partners.”); Press Release, U.S. Dep’t of Homeland Sec., Statement by Secretary Jeh C. Johnson Regarding PPD-41, Cyber Incident Coordination (July 26, 2016), https://www.dhs.gov/news/2016/07/26/statement-secretary-jeh-c-johnson-regarding-ppd-41-cyber-incident-coordination [https://perma.cc/P8D6-DG7C] (explaining that Presidential Policy Directive 41 “re-enforces the reality that cybersecurity must be a partnership between the government and the private sector”).

4. See, e.g., SCOTT CHARNEY ET AL., MICROSOFT, FROM ARTICULATION TO IMPLEMENTATION: ENABLING PROGRESS ON CYBERSECURITY NORMS 13 (2016), https://mscorpmedia.azureedge.net/mscorpmedia/2016/06/Microsoft-Cybersecurity-Norms_vFinal.pdf [https://perma.cc/8PF2-VBX5] (“Public/private partnerships will be the anvil on which we forge the